Independent Investigations Office of BC

Overview

In 2012, Canada’s Ministry of Justice established the Independent Investigations Office of British Columbia (IIOBC) to raise public confidence in police oversight, accountability, and transparency. The civilian-led body investigates officer-related incidents that result in death or serious injury in the Canadian province of British Columbia (BC). It reports to the Crown Counsel if there is reason to believe an officer committed an offense under the Police Act. Officers employed by the Royal Canadian Mounted Police (RCMP), Transit Police, Special Provincial Constables, and Tribal Police are all subject to IIOBC jurisdiction.

IIOBC’s staff includes investigators as well as corporate and support staff. To fulfill its function, IIOBC handles highly sensitive information in reports, audiotapes, photos, video, location details, and third-party accounts. As of January 2015, over 80 cases had been conducted. Public reports only reveal the names of officers and involved parties when those names are already part of the public record. In all other cases, the protection of individual privacy is a primary concern.

Challenges

Internal audits are an important step in gauging the security status of IIOBC. The organization is a target for hacktivist attacks due to its affiliation with government and the nature of its caseload. Recommendations emerging from a February 2015 audit prompted the organization to search for an IT security officer who could evaluate and implement more security products. “When I came to work for the IIOBC network, I took the approach that the network had already been breached,” said Richard D’Souza, the new IT security expert at IIOBC. “Many IT managers think their networks are safe, but they don’t understand the threats that are lurking underneath the surface.”

After coming to IIOBC, D’Souza saw a need for a layered defense to protect against external threats and advanced malware, to protect communications made from desktops, and to prevent targeted email and phishing campaigns from reaching users. D’Souza also saw the need to monitor insider threats, which could range from accidental misconfigurations and visits to unsafe websites to intentional acts. “When attackers are in your network, you need to know when the malware entered your environment, what assets were compromised, and how much data was infiltrated out,” said D’Souza.

Why Trend Micro

To protect its virtual environment and add a layer of defense on top of its Check Point firewall, IIOBC chose Trend Micro™ Deep Security™. D’Souza was familiar with Deep Security’s scalability in virtual environments from a proof of concept performed at another organization when he was working on that company’s super data center project. “Deep Security is a solid product that has many powerful features and is well positioned as a leading enterprise product in the market,” said D’Souza.

"The quickest win for us was to roll out all the Deep Security modules and use them on servers and desktops. It was easy to do, and we were protected within two weeks."

Richard D’Souza,
IT Security, Independent Investigations Office of BC

Deep Security had the capabilities to meet audit recommendations, and it was already in-house. IIOBC was using the anti-malware feature on servers but had not unlocked other features of the product. It was also using Trend Micro™ Worry-Free™ to protect desktops. “The quickest win for us was to roll out all the Deep Security modules and use them on servers. It was easy to do, and we were protected within two weeks,” said D’Souza.

Solution

IIOBC uses all Deep Security modules to protect its environment: anti-malware with web reputation, intrusion prevention, bidirectional host-based firewall, integrity monitoring, and log inspection. Deep Security integrates with Trend Micro™ Smart Protection Network™ to quickly identify viruses, spyware, and malware. IIOBC can set custom levels of protection based on the latest global threat intelligence for web reputation. “We use a high setting to block web pages that are dangerous or suspicious. If Trend Micro hasn’t checked a website through Deep Security, we do not allow our staff access to the site,” said D’Souza.

IIOBC added a firewall to servers and put firewalls on all desktops as part of a layered defense. “In the unlikely event a threat bypasses all the layers, takes over a machine, and tries to attack other machines, we will pick it up,” said D’Souza. Intrusion prevention offers visibility into attacks the firewall misses. Its virtual patching capability allows IIOBC to quickly push protection to desktops and servers. “We can’t patch all systems all the time, but when attacks like Heartbleed and Poodle happen, we can quickly shield ourselves from those threats,” said D’Souza. Log inspection satisfies auditors with a record of who logged into the system, while integrity monitoring detects changes in core files.
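The integrity monitoring described above works by recording a baseline of file hashes and comparing later snapshots against it. The following Python script is an added illustration of that technique, not code from the case study or from Trend Micro; the file paths and contents are constructed sample data, and hash_tree() is a helper for running the same comparison against a real directory.

```python
import hashlib
import os
from typing import Dict, Set, Tuple

# Constructed sample data: a baseline snapshot of a few core files and a later
# snapshot of the same host. Keys are relative paths, values are file contents.
BASELINE_FILES = {
    "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "usr/bin/sudo": b"\x7fELF...sudo-binary-as-installed",
}
CURRENT_FILES = {
    "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    # hardening setting weakened since the baseline was taken
    "etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    # a scheduled job that did not exist at baseline time
    "etc/cron.d/newjob": b"0 3 * * * root /usr/local/bin/report.sh\n",
    # usr/bin/sudo is missing from the current snapshot
}


def sha256_hex(data: bytes) -> str:
    """Content hash used as the integrity fingerprint of a file."""
    return hashlib.sha256(data).hexdigest()


def snapshot(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path in an in-memory file set to its SHA-256 fingerprint."""
    return {path: sha256_hex(data) for path, data in files.items()}


def hash_tree(root: str) -> Dict[str, str]:
    """Like snapshot(), but walks a real directory tree on disk (hypothetical helper)."""
    result: Dict[str, str] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                result[os.path.relpath(full, root)] = sha256_hex(fh.read())
    return result


def diff_snapshots(
    baseline: Dict[str, str], current: Dict[str, str]
) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (added, removed, modified) path sets between two snapshots."""
    base_paths, cur_paths = set(baseline), set(current)
    added = cur_paths - base_paths
    removed = base_paths - cur_paths
    modified = {p for p in base_paths & cur_paths if baseline[p] != current[p]}
    return added, removed, modified


def report(baseline: Dict[str, str], current: Dict[str, str]) -> list:
    """Render the differences as one alert line per change, sorted for stable output."""
    added, removed, modified = diff_snapshots(baseline, current)
    lines = [f"ADDED    {p}" for p in sorted(added)]
    lines += [f"REMOVED  {p}" for p in sorted(removed)]
    lines += [f"MODIFIED {p}" for p in sorted(modified)]
    return lines


if __name__ == "__main__":
    # Baseline would normally be stored after a known-good build; here both
    # snapshots are built from the constructed data above.
    for line in report(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES)):
        print(line)
```

On the constructed data the script flags the new cron entry as added, the missing sudo binary as removed, and the sshd configuration as modified; each of these is the kind of change in a core file that an integrity monitor raises for review, and the baseline itself should be stored somewhere the monitored host cannot rewrite.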

Some of the IIOBC laptops spend relatively long periods of time in the field. In these cases, IIOBC uses Deep Security as a Service (DSaaS) to keep laptop protection up to date. DSaaS is the cloud-based version of Deep Security that provides security for cloud instances. “We wanted updates, signatures, and the ability to control each machine in terms of policy,” said D’Souza, who expects to manage on-premises security through DSaaS in the future. “Our data is always going to be here in Canada under our possession. But we see promise in moving the management of security into the cloud with Deep Security as a Service.”

To comply with audit recommendations and protect the confidentiality of classified information, IIOBC needed endpoint encryption. D’Souza knew Trend Micro Endpoint Encryption by reputation for its ease of integration with Windows Active Directory and its FIPS-compliant technology. He requested a trial, which required importing test users into the Endpoint Encryption server, then deploying the agent on laptops. Laptops were decrypted with BitLocker, then re-encrypted with Endpoint Protection. “We can log into Active Directory and Endpoint Encryption with the same set of credentials. And the cache works really well,” he said.